0

I have a public key pubkey.asc. Also I have a file file.txt and its detached signature file.txt.asc.

I want to check the following steps:

  1. file.txt.asc is a signature for file.txt
  2. file.txt.asc was created using secret key from a keyring with public key pubkey.asc

I can do the 1st step using gpg --verify file.txt.asc file.txt. This command outputs public key fingerprint which was used to create a signature:

gpg: Signature made <date and time>
gpg: using RSA key <fingerprint>
...

I can see pubkey.asc fingerprint just by running gpg pubkey.asc.

Can I use this information and just check if fingerprints are equal to perform 2nd step? If not, how can I verify a file signature with given public key?

I saw this question about how to verify if signature matches public key, but it only works if key has extension .gpg which is not my case.

elo
  • 489
  • 3
  • 13
  • You might want to look at other questions like https://security.stackexchange.com/questions/86721/can-i-specify-a-public-key-file-instead-of-recipient-when-encrypting-with-gpg – Progman Feb 06 '22 at 21:45

1 Answers1

1

OpenPGP key's fingerprint is a SHA1 hash of public key itself plus some additional data, and it uniquely identifies the key (excluding collision cases, which are not known yet for OpenPGP key fingerprints).

So, yeah, seeing 'good signature made by key [fingerprint]' is enough to rely on fact that signature is made by the aforementioned key.

Nickolay Olshevsky
  • 13,706
  • 1
  • 34
  • 48